I believe Zero Trust (ZT) architecture is the next generation security model for on-premise as well as hybrid and cloud-based systems. In my research of this relatively new topic, I found only a handful of resources available. To share what I know and to provide a baseline for your own exploration of ZT architecture, I created a simple website at www.zerotrust.info. Please feel free to visit and check out the list I compiled. Also please share with me any notable information sources that I might have not included in my modest catalog. Thank you very much!

I think the essential mindshift is something I told my CISO at Cardinal Health around 2012 that pissed him off a little bit - "The internal corporate network is just the part of the Internet that we own, and it's a little less safe than Starbucks."

If you stop thinking about your corporate network as trusted (because, truly, it shouldn't be trusted) then you arrive at the zero trust model. Anywhere you have users clicking on things in their email and browser, that's not a trusted zone.

What I think is more viable is what you can find in the Information Security Management article, which is an enclave model, a locked down fortress internal in the network where the crown jewels are stored. To actually achieve this, however, you need to break credentials at the firewall to that enclave, and treat it like a different company. If the backup, monitoring, patch management, orchestration, security monitoring, and change control accounts are the same in the unsecured zone and the enclave, then you're kidding yourself.

Thank you very much for such a detailed response and for all the links that you provided! I sincerely appreciate it. I also love your assessment of what the corporate network really is today. What a wonderful way to put it! May I quote you on the homepage of my new knowledge sharing portal www.zerotrust.info?

One of the most potent business strategic thinking ideas I have found in my research and practice is to imagine that one's products are free. Such a "preposterous" idea makes one think really hard about how to deliver new value to one's customers. I think your message to the CISO is right on the money in the very same way--it forces the "now what?" approach to making a corporate infrastructure significantly more secure. Unpleasant as it might be, this is akin to the muscle pain we feel after a good physical exercise. No pain, no gain. Thanks again!

Sure. Just to clarify, don't quote Cardinal's name. I said the quote while I worked there but it wasn't because Cardinal Health had insecure networks. In fact, they have a robust security program. I think this is true of any firm. Wherever you have users clicking on links in email & browsers, you have an attack surface. Most organizations have flat networks, and you have an (N)^2 problem with that attack profile.

Your typical Starbucks public WiFi network has maybe 30 nodes, with hugely variant security, but most are likely not terrible, and auto-patch is quite common now on consumer desktops. It's a low-utility network that really only does a few things - legal opt-in to T&Cs, metering, DHCP, DNS resolution, IP gateway services, content filtering, and some traffic isolation. That's about it. It's not uber high-security, but it's low-utility and low-volume, so small attack surface. (N)^2 where nodes are 30 = 900.

Compare this small, relatively secure network with 50,000 or 100,000 endpoints on a typical large corporate network grown organically over 20+ years. (N)^2 where nodes are 50,000 = 2,500,000,000

Worse, you'll typically find one or more of these to be true:

500 consultants using Goodness-only-knows-what as their compute platform

10 vendors a day connecting in

rogue switches & access points

VPN accounts that got handed out from time-to-time to non-employees

test/dev/QA parked in production network (yes, the _CODE_ is Dev, but the server & network are prod)

Shadow IT

IoT that walks in the door

Modems for fax support

a huge stack of firewall "open" requests, with an empty box of "close" requests

likely no tracking of ownership of firewall rules, or governance

rules that folks are afraid to turn off/ turn on

that one firewall where the last command is PERMIT ANY ANY

(I've found 2 in my career. Yup, they tried to blacklist the Internet)

BYOC - Bring Your Own Computer

(likely unsecured) printers

those guys that installed a hypervisor and are running a few rogue operating systems on their desktop

hundreds of third parties that connect into your infrastructure to perform support & maintenance

DevOps teams likely able to download & install as needed

broad use of collaboration sharing technologies where the user clicks "Share my Desktop"

likely pockets of internet-facing test

That creates quite a mosh pit. While much of it is armored, in the aggregate, it's like a flotilla of mixed battleships, destroyers, tankers, cruise ships, bass boats and leaky sailboats. LOTS of surface area, lots of targets.
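As an added illustration (not code from any participant in this thread), the following Python script shows how a defender might mechanically check a rule export for two of the conditions listed above: a trailing PERMIT ANY ANY and rules with no tracked owner. The rule format, the `Rule` class and the sample policy are all constructed assumptions for this example; a real firewall export needs its own parser.

```python
"""Audit a simplified first-match firewall policy (assumed format) for
wide-open permits, rules they shadow, and rules nobody owns."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    """One line of an assumed, first-match-wins firewall policy."""
    seq: int
    action: str      # "permit" or "deny"
    src: str         # "any" or a CIDR
    dst: str         # "any" or a CIDR
    service: str     # "any" or "proto/port"
    owner: str = ""  # empty string means no recorded owner for this rule


# Constructed sample policy (not from any real firewall).
SAMPLE_RULES = [
    Rule(10, "permit", "10.1.0.0/16", "10.9.1.5/32", "tcp/443", owner="payments-team"),
    Rule(20, "permit", "10.2.0.0/16", "10.9.1.9/32", "tcp/1433", owner=""),
    Rule(30, "deny", "0.0.0.0/0", "10.9.1.9/32", "tcp/1433", owner="netsec"),
    Rule(40, "permit", "any", "any", "any", owner=""),
]


def is_permit_any_any(rule: Rule) -> bool:
    """True when the rule permits every source, destination and service."""
    return (rule.action == "permit"
            and rule.src == "any"
            and rule.dst == "any"
            and rule.service == "any")


def audit(rules: List[Rule]) -> Dict[str, object]:
    """Walk the policy top to bottom (first match wins) and report:
       permit_any_any          - sequence numbers of wide-open permits
       terminal_permit_any_any - whether the last rule is such a permit
       shadowed                - rules after the first permit-any-any that can never match
       unowned                 - rules with no recorded owner
    """
    ordered = sorted(rules, key=lambda r: r.seq)
    wide_open = [r.seq for r in ordered if is_permit_any_any(r)]
    shadowed: List[int] = []
    if wide_open:
        first = wide_open[0]
        shadowed = [r.seq for r in ordered if r.seq > first]
    unowned = [r.seq for r in ordered if not r.owner.strip()]
    return {
        "permit_any_any": wide_open,
        "terminal_permit_any_any": bool(ordered) and is_permit_any_any(ordered[-1]),
        "shadowed": shadowed,
        "unowned": unowned,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

The shadowing check is the useful part in practice: once a permit-any-any appears, every rule below it is dead, which is why a policy whose last line is PERMIT ANY ANY is effectively a blacklist of the Internet, exactly as the post describes.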

One of the deep down fundamental problems of the 'Zero Trust' model (and just for clarity, I think it's one of the best paradigms around) is keeping everything operating while moving on to it. Nothing kills an initiative like stopping services, even if borking 'The old expensive thing that sits in the corner and Spoils Everything if it isn't kept fed with copious unsigned PE files and access databases via NetBEUI...TM' might be a blessing in disguise.

Google's BeyondCorp framework is probably the most talked about vendor neutral effort, and as a model I think makes a lot of sense https://cloud.google.com/beyondcorp/. It's also a pretty good antidote for the Zero (Rabid) Trust Person who will soundbite it in meetings and then build layers of evermore tenuous argument on top of knowing the buzzword and trying to panic someone into buying/committing/etc into making something 'Secure' but really failing to understand what they are doing.

"And, now by the power of Opsware's global root access I shall now put all the HP-UX boxen into trusted mode, It is done, we are impregnable!"

"Impressive... could you just connect to one of them so we can take a look?"

Thank you for your great comments and the jolly tone! You are right--don't trust my website, at least at the outset! Thank you for the Google BeyondCorp link! The portal is a treasure trove of great research information. Have a great weekend!


All contents of this site constitute the property of (ISC)², Inc. and may not be copied, reproduced or distributed without prior written permission. (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP and CBK are registered certification marks of (ISC)², Inc.